Which SANS Course?

jfred1 Member Posts: 2
I hate to ask this question because it's so tough to answer, but I need some opinions.

I'm an experienced IT systems admin/engineer with over 17 years of experience.  Certified with lots of hands on with Microsoft-based networks, VMware vSphere, and Citrix XenApp/XenDesktop/NetScaler (and more).  Went back to school (WGU) for a degree in cybersecurity just for fun and am almost finished.

I'm going to take the SANS Undergrad Certificate next.  It includes SEC401/GSEC, SEC504/GCIH, and then an elective.  And that's where I'm stuck.  Any thoughts on which course to take for an elective?

I'm not necessarily looking to move jobs when complete but I am trying to consider which elective course/cert might provide the most benefit in transitioning into a dedicated infosec role should I choose to.

Options are: SEC501/GCED, SEC503/GCIA, SEC542/GWAPT, SEC560/GPEN, FOR508/GCFA, and ICS410/GICSP.

My initial thought was GPEN since I have an interest (and I've also started to play with CTFs on the side), but also considering GCED.  Maybe I should be considering others as well?

These are probably the only SANS courses I'll ever get to take so I'm trying to make the right choice.
Systems Engineer
Upcoming Goals: GCIA, CISSP, OSCP


  • johndoee Member Posts: 152

    Have you applied and been accepted?

    From the looks of your signature, you haven't taken any GIAC exams in the past. 

    There have been people in recent history who have failed GIAC exams. I am not saying that you will. What I am saying is that you have to weigh difficulty vs interests. I probably wouldn't suggest GPEN being your first GIAC experience.

    If I was in your shoes with the only "cyber"/"security" certification being eJPT and SSCP I would probably start at GCED. It's foundational knowledge and it's a higher likelihood of passing on the first go. If I were paying for this myself (which I don't recommend) I would go with where your heart is and that is GPEN. I would be less upset failing an exam I really wanted to get than one I was just checking the box with. 

    GICSP is more in line with industrial controls, so if I had to select that at some point in the curriculum, it would be last.

    GPEN: I have never heard anyone say they did CTF exercises then went and passed the GPEN.

    GCFA/GCIA are known to be difficult by most people's standards. There are people on various forums who mention failing them and/or them being hard.

    The most benefit is going to show on job boards. Go to your favorite job board and put in each certification to find out which one gives you the highest hit.

    BUT a certification and no real world experience to most companies is like not having a certification at all. You can be a system administrator with 10 GIAC certifications. That doesn't mean you are going to pass an interview, or get past the HR filters. Most importantly the HR filters. 

  • yoba222 Member Posts: 1,237
    edited October 2019
    First off, congratulations on having to make such a "tough" life decision. Kind of like being forced to pick one, and only one, Rolex.  B)

    With 17 years of IT, a pending cybersecurity degree, and having a GSEC and GCIH under the belt -- you'll be set from a resume perspective to transition into an infosec role. So what's left is squeezing the most learning value you can from that final choice.

    That said, I wouldn't choose GPEN and maybe also not choose GWAPT. This is because there are other training courses out there that will provide an equal (probably better) learning experience for pentesting. I have the materials for both and they're definitely good, but what's missing is a lab to train in for several weeks/months. If I had only one shot, I'd do something else and get pentesting training from something like OSCP and/or eCPPT where you can log extensive lab time.

    Forensics from what I've seen from coworkers is a very specialized animal and you either do it or you don't, since forensics really involves chain of custody, court trials, viewing evidence that may be shocking and horrible, etc. You don't just casually do a forensics case. So I'd be wary on choosing that one.

    Industrial controls interest me too. No IT experience with them, but I have the feeling that GICSP would largely be wasted if you don't plan to seriously work with industrial controls -- like buying stuff off eBay afterwards to practice on, etc.

    My vote is on GCIA or GCED. I've heard good things about GCIA and it's a hardcore blue team deep dive. I have no anecdotal information about the GCED though.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • jfred1 Member Posts: 2
    I really appreciate both responses so far, johndoee and yoba222!

    To answer some questions, yes I've applied, yes I've been accepted, and no I'm not paying for it out of pocket (no loans either!).  These will be my first SANS courses and GIAC certifications.  I am far from new to IT, and to information security for that matter, but my exposure so far has been more hobby-oriented or tangentially related in the course of systems administration/engineering.

    Both responses are good, and as much as I would love to do GPEN some valid points have been made in that I can cover that area in other ways (like OSCP).  I will do more research and thinking on this, but you both may be onto something with the GCED recommendation!

    If anyone else has any opinions I'd like to hear them!
    Systems Engineer
    Upcoming Goals: GCIA, CISSP, OSCP
